2.8.0.beta7: Security Release, Fast Edits, Topic Bookmarks, and more

New features in 2.8.0.beta7

⚠️ Security fix

This beta includes a critical security fix. All sites are encouraged to update as soon as possible. This fix prevents an RCE via a malicious SNS subscription payload.

Fast edits

Submit a post, only to realize you need to make a small change? With fast edits, this can be done quicker and easier than ever before. No need to open the full composer, just highlight the word(s) you need to fix, click edit, and make the change right there.

As you and your users try this out, we’d love to hear your suggestions here on meta.discourse.org in the feature category. Find a bug? Let us know in bug.

Please note, fast edit can’t handle complex post content - for example editing multiple cells in a table. When fast edit is unable to work, the full composer will open automatically.

Topic Bookmarks

Topics can now be bookmarked, not just individual posts. When a topic is bookmarked, users following the bookmark will land at their last unread position automatically. Topic bookmarks can be created via the footer when no other posts are bookmarked.

Improve “blank page syndrome”

New users, as well as those users without posts, likes, notifications, etc., frequently land on pages within Discourse that are “blank”. Instead of showing a blank page, Discourse now displays just-in-time info so the user can learn what will eventually be shown. Such content has been added to the activity/topics page, activity/read page, user messages page, and within the group messages pages.

Admin approval via two-factor authentication

When granting admin access, if the existing admin has two-factor authentication enabled they will now be prompted to enter an authentication code (or use their security key) to approve the access grant. When two-factor is not enabled, a confirmation email will be sent.

Allow recovery of deleted small action posts

Ever close a topic and delete the small post created, only to realize you needed it? So you go back, open the topic, and close it again, so you can have the small post? No more! Small posts can now be restored just like a normal post.

Site Setting to disable notifications for topic category edits

A new site setting, disable category edit notifications, allows admins to control whether users are notified when moderators move their post to a different category.

Allow users to remove their vote from single choice poll

Previously, if a user made a selection in a single choice poll, they could only change their vote - it wasn’t possible to remove it. Users can now use the remove vote button, or select the same option again to remove their vote.

Enable auto dark mode by default for new sites

Discourse has long shipped with multiple themes, including a dark theme. New sites now enable both light and dark themes by default, and switch automatically based on users’ device preferences.

Permanent deletion of posts and topics

By default, Discourse uses soft-delete, so posts and topics can be recovered as needed by site staff. There may be times where a post or topic needs to be fully deleted - removed from the database entirely - for example due to a legal issue. A new site setting, can permanently delete, has been added to support this. This setting is not accessible via the UI - an admin with SSH access must enable it via the rails console. Once enabled, admins can permanently delete posts. Admins must wait at least one minute after a post is deleted to be able to permanently delete it. Posts can be permanently deleted without waiting if the initial deletion was made by another admin. Moderators do not have the ability to permanently delete posts.

Accessibility

  • Don’t output aria label identical to title
  • Use shorter label for hamburger menu
  • Fix several minor issues
  • Add labels to some search fields, category notification selector
  • Add more descriptive labels for some dropdowns
  • Use listbox role for dropdowns
  • Do not default to label for aria-label
  • Improve create account modal for screen readers

Additional features

This beta has so many new features we can’t detail them all. Below are some additional features of note. You can find the full list of new features in the following post.

  • Hide suspended users from site-wide search to regular users
  • Enable users to choose unseen as a default view
  • Display new/unread count in browse more messages for PMs.
  • Add game consoles to unsupported browsers
  • Cook drafts excerpt in user activity
  • User/category/tag results in full page search
  • Humanize file size error messages
  • Shortcuts for quote (q) and fast edit (e)
  • Stop using email as source for username and name suggestions for Single Sign On
  • Add a hidden setting that enables using email as a source for username suggestions

Even more!

But wait, there’s more! We do our best to highlight new features and changes for you, but there are always too many changes to detail. For a full list of new features, bug fixes, UX improvements, and more, be sure to review the Additional Features and Fixes listed below.

Plugin improvements

Many plugins

  • Bug fix
    • We’ve patched numerous bugs in many of our plugins
  • Translations
    • We’ve updated the translations in many of our plugins

Assign

New Features

  • Assignment target is polymorphic
  • Better UI for group assignments
  • Advance search groups
  • New assignable group option instead of messageable

Bug Fixes

  • More accurate and flexible random assign automation
  • Assignment table migration when SKIP_POST_DEPLOYMENT_MIGRATIONS
  • N+1 query on list of private messages assigned
  • Refresh first post after assign and unassign
  • Tests were broken on Ember CLI
  • Properly fabricate data for topic query specs.
  • Allow Never selection for frequency of assigned topic reminders
  • N+1 assignment
  • Add assigned fields to suggested topic serializer
  • Unassign/assign when group pm is archived

UX Changes

  • Remove an obsolete css class from an element
  • Fix input styling in group assignments page
  • Fix input alignment following core changes

Voting

Performance

  • Exclude vote fields in topic-list-item serializer for PMs.

Staff Notes

UX Changes

  • Fix alignment of user profile buttons

Chart

Bug Fixes

  • Fixes regressions due to ember-cli and chartjs updates
  • Add pluginId to avoid deprecation

Akismet

New Features

  • Various improvements and refactoring

Bug Fixes

  • Show akismet state only if it exists
  • Don’t trigger a spam check when a post is edited by a staff member.

Calendar

New Features

  • Use default calendar to save events

Bug Fixes

  • Add Recurrence Translation for ‘every_two_weeks’
  • Remove unused RRuleGenerator param
  • Two week recurring events not working
  • Small region preferences select
  • Mobile style fix
  • Safely set one key/value of bulkInvites
  • Deprecation with pluginId

UX Changes

  • Fix date field overlap
  • Add tabs to filter between different types of RSVPed guests
  • Fix slider appearance
  • Fix overflow + wrap issues for long usernames

Data Explorer

New Features

  • Add Data Explorer Params to the URL on run

Bug Fixes

  • Assign queries

UX Changes

  • Fix button alignment following core changes

Solved

New Features

  • Improve blank page syndrome
  • Enable solved for topics with specific tags.

Bug Fixes

  • Import test helpers properly
  • Typo in mixin and incorrect setting description

Performance

  • Use UserAction to count accepted answers

Encrypt

Bug Fixes

  • Change search to fully match the query
  • Raise error on huge file uploads
  • Improve search in encrypted posts
  • Improve search in encrypted topics
  • Use unique pluginId for modifyClass
  • Decrypt drafts in user stream
  • Unescape emoji in titles from PMs quick menu
  • Deprecation with pluginId

Performance

  • Preload encryption keys in topic lists

BCC

Bug Fixes

  • Use modifyClass API instead of calling reopen

Ad Plugin

Bug Fixes

  • Use imports instead of Discourse global

SAML

Bug Fixes

  • Pin the plugin in commit for old versions of Discourse.

Github

Bug Fixes

  • Check if badge can be used as a title

Code Review

Bug Fixes

  • Topic-list template should match core changes
  • Fix deprecation by adding pluginId

RSS Polling

New Features

  • Allow setting discourse tags for each feed

Subscriptions

Bug Fixes

  • Set interval field correctly in object root for recurring plans.

Policy

Bug Fixes

  • Deprecation with missing pluginId

Zoom

Bug Fixes

  • Post creation was broken when the category experts plugin is also installed
  • CSP issue, anonymous webinar visibility

Shared Edits

Bug Fixes

  • Improve localization and disabled state
  • Deprecations with modifyClass

Reactions

Bug Fixes

  • Bump version to 0.2
  • Deprecation on modifyClass for pluginId

Security Changes

  • Leaking PMs and secure categories topics

Saved Searches

Bug Fixes

  • We need to import visit or tests fail

OpenID Connect

New Features

  • Token endpoint client_secret_post authentication, and explicit claims

Bug Fixes

  • Only send claims parameter if it has been set
  • Correctly handle end_session_endpoint with query parameters

Category Experts

New Features

  • Job to mark historical posts as category expert posts

Bug Fixes

  • Skip post processing for non-regular posts
  • Don’t try to render buttons when no data
  • Switch post handling to DiscourseEvent
  • Skip posts that error in historical job
  • Fetch all groups for group-chooser in category settings

User Notes

UX Changes

  • Fix alignment of user profile buttons

Sign in with Apple

UX Changes

  • Minor copyedit for login button in mobile view.

Docs

New Features

  • Add filter + alpha & numeric sort to categories and tags in docs sidebar

Bug Fixes

  • Ignore category filter when incorrect param

UX Changes

  • Add in:docs quick tip in search widget

Canned Replies

Bug Fixes

  • isVisible conflicts with a deprecated ember property

Chat Integration

Bug Fixes

  • Update dashboard warning link to point to new chat-integration URL

Additional Features and Fixes

New Features

  • Change all core to use uppy-image-uploader
  • Add reversed and type to allowed attributes
  • Cache CORS preflight for MessageBus
  • Cache CORS preflight requests for 2h
  • Add downloadCalendar to plugin api
  • Adds an API to exclude a tag from a TopicQuery
  • Save local date to calendar
  • Return subcategories on categories endpoint
  • Make username suggester suggest user1, user2 etc. for input that contains invalid characters only
  • Add update banner to the categories and latest topics view
  • Local dates range on click
  • Remove duplicated messages about new advices
  • Make the multisite config path configurable
  • Publish read topic tracking events for private messages.
  • Allow plugins to extend Groups

Bug Fixes

  • Make the verbose_auth_token_logging setting off by default
  • Show search context only in topic routes
  • Broken quick search on iPadOS
  • Reset sso email and payload when user navigates away
  • None row doesn’t have a value, use class to target it
  • Topic timeline not updating in megatopics.
  • Do not query backend when searching “in this topic”
  • Remove ‘crawl_images’ site setting
  • Only replaces double quotes and uses unicode
  • Do not show recipient user in email participants list
  • Clarify None Needed option when editing bookmarks
  • Hide full screen toggle button when textarea is disabled
  • Category and tag picker alignment on mobile
  • Correct api version after minor bump
  • Improve quick search speed and result highlights
  • Allow staff to view pending/expired invites of other users
  • Also track textContent mutations
  • Decorate posts that are loaded after the initial render in post stream
  • Improvements for download local dates
  • Ensure embedded replies/reply-to links open in _blank
  • Groups using users icon were lacking margin in search
  • Attempts to observe preview mutation asap
  • Attempts to enforce caret position in filter
  • Use absolute URLs in search shortcut
  • BackupRestore::DatabaseRestorer failures with Ruby 3
  • Show group filter only when user is logged in and groups are present
  • Extract filter pm and categories from UserAction
  • Nil the baked version after moving the posts.
  • Use category’s default sort order in latest & unseen filters only.
  • Missing excerpt for post small actions in topic timeline.
  • Remove List-Post email header
  • Move check if user is suspended later
  • Update translation key to match flag reason.
  • Phpbb import - attachments not embedded in posts
  • Handle separately invite to topic and forum
  • Topic_tracking_state not erroring when missing user_stat
  • Ruby 3 does not freeze interpolated string
  • Fix local-dates in non-post contexts, and in long topics
  • Correct password change path for password managers
  • Resolve quoting issues by reverting new shortcuts
  • Disable previews if diffhtml is enabled
  • Apply quote selection workaround to all browsers
  • Selection going missing in Safari
  • JS error when showing topic search results
  • Strip discourse-logged-in header during force_anonymous!
  • Do not persist tags query param
  • Tooltip in quick search didn’t work
  • Check env for multisite config path even if config file exists
  • Disable Show results if nobody voted
  • Hide form after password reset
  • Parse address lists in embedded emails
  • Local date trim when no time available
  • Select all button on group assigned page
  • Reenable global setting HTML support.
  • Display embeddable host’s post to category.
  • Support Ruby 3 keyword arguments
  • Ember CLI was always loading the admin payload in dev mode
  • Vimeo private video oneboxes were broken
  • Use addresses to compare email header
  • Stop tracking incoming message after navigating away take 2.
  • Stop incoming message tracking after navigating away.
  • Make score’s reason link building more explicit
  • Empty state message on the user bookmarks page
  • Exclude PMs that user sent to themselves.
  • Topic.similar_to results in invalid query for certain locales.
  • Do not show ‘new or updated topics’ for mobile categories page
  • Follow the canonical URL when importing a remote topic.
  • Error loading suggested topics for anon users.
  • Notify incoming to categories and latest topics view specifically.
  • Restrict other user’s notification routes
  • Incorrect interpolation was limiting to 1 dispatch / component
  • Do not publish post for PM topic tracking if not new for user.
  • Support Ruby 3 keyword arguments for DiscourseRedis
  • Workaround Safari 15 createImageBitmap bug
  • Do not display userColorSchemeId in the UI
  • Make update banner always available on the categories view
  • More robust tabindex restriction on preview
  • Ensure subcategory list is hidden when not required
  • Do not error _removeDeleteOnOwnerReplyBookmarks on navigate
  • Don’t try to boot the ember app on old browsers
  • Correctly defines data-attributes used by local-dates
  • Feature detect globalThis
  • include_ serializer methods must end with ?
  • Use unread post excerpt for topic-level bookmark excerpt
  • Use active record update_attribute instead of mini sql.
  • Do not reload card if already loaded
  • Handle forwarded email quotes around Reply-To display name
  • Return empty array when no parent for range
  • Rss gem is bundled gem since Ruby 3
  • Empty state message on the group messages pages
  • Update only passed custom fields
  • Hoisting linebreaks shouldn’t fail for HTML5 elements
  • Offer site_logo_dark_url as an option for dark mode themes
  • Add locales for group mention PM variants
  • Remove incoming messages for read events.
  • Address ArgumentError to support Ruby 3 keyword arguments
  • Prevents extreme cases to overflow in selected content
  • Do not suggest Emoji when in open code blocks
  • Update only present fields in request
  • Optimistically fix topic timeline state issues
  • Use <textarea> for theme translations
  • Do not error mobile upload button if !allowUpload
  • Mobile nav styling
  • Give the topic timeline unique keys for state
  • Make sure S3 object headers are preserved on copy
  • Don’t publish PM archive events to acting user.
  • Don’t attempt to migrate multisite test db while holding the mutex
  • Resolve short URLs after diffHTML was loaded
  • Correct the play icon position
  • Do not replace in mentions and hashtags
  • Display unread/new PM links only when viewing own user.
  • Remove dismissed new topics from PM topic tracking state.
  • Remove dismiss read topics from PM topic tracking state.
  • Better positioning for “Skip to main content” button
  • Ember CLI was being hijacked before potential errors
  • Composer height issue in Safari on iOS 15
  • Ignore canonical link for medium.com oneboxes
  • Do not show spoiler content in RSS
  • Always show the creation date of posts in crawler view
  • Correct highest post number for read topic tracking state.
  • Better filter for groups search
  • Error in Ember CLI environment
  • Capture CC addresses for forwarded emails
  • Perform agree_and_keep action only if possible.
  • Correct the forwarded by user small post for group inbox
  • Use random file name for temporary uploads
  • Search was not being initialized properly.
  • We weren’t properly resetting the mobile state between tests.
  • Don’t attempt to migrate concurrently with other migrations
  • Allow single string values on custom multiple select fields and not just arrays
  • Increase chunk size to fetch title tag correctly

UX Changes

  • Adjust quick search input width
  • Better topic search experience
  • Show fewer toolbar icons in mobile composer
  • Display full-page user search in a grid
  • Better visibility for context search
  • Add Enter hint to search dropdown
  • Add missing translation
  • Remove aria-label for buttons when title attribute exists.
  • Improve route hierarchy for user-invites
  • Restore new messages button on mobile on PM route.
  • Adds shortcuts for quote (q) and fast edit (e)
  • Add keyboard shortcut for fast edits
  • More consistent shortcut labels for macOS
  • Fix alignment of composer when tags are disabled
  • Revamp quick search
  • Change layout of invites page to match other user pages
  • Global notice no longer accepts HTML.
  • Capitalize unsubscribed email locale
  • Use consistent category badge font size in dropdowns
  • Fix label in search when tagging is disabled
  • PM inboxes being expanded incorrectly when viewing tags.
  • Don’t display group messages link for group with no messages.
  • Show scrollbar only when needed in dropdowns
  • Adjust mobile spacing for full page search
  • Ensure sticky elements don’t overflow header
  • Better placement for bulk select actions button
  • Move fast edit before sharing
  • Adjust quote button position on mobile
  • Add second Search button on mobile
  • Share button margin consistency
  • Fix profile button spacing
  • Improve composer button bar on mobile
  • Prevent invite form fields from resizing
  • Fix date input icon display issues
  • Minor fast edit tweaks
  • Improves fast edit fallback handling
  • Optionally show a “Summarize” button in topic timeline
  • Fix tab groups editing layout issues on mobile
  • Use standard font size for buttons at the end of /top page
  • Fix mobile styling for admin color schemes
  • Fix alignment for admin controls on mobile
  • Fix date input display in iOS
  • Minor layout tweaks to dropdowns
  • Normalize sizing for inputs, buttons, dropdowns
  • Adjust button spacing
  • Limit select-kit tag chooser width
  • Remove :empty on topic-statuses, clean up

Performance

  • Reduce work when external sources are allowed in InlineUploads
  • Use a subquery when excluding a tag from topic query.
  • Avoid running ignored users DB query for anon users.
  • Revert all inboxes from messages route.
  • Improve database query perf when loading topics for a category.
  • Fix N+1 queries in SiteSerializer.
  • Improve query performance all inbox private messages.
  • Avoid running query unnecessarily when updating bookmark.
  • Avoid additional database query when viewing own user.
  • Improve query perf when fetching unread for PM topic tracking state.